[dns-operations] [Ext] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Apr 13 21:46:00 UTC 2022


On Wed, Apr 13, 2022 at 11:08:03PM +0200, Petr Menšík wrote:

> We have no feedback from our customers on this topic yet, because
> already released RHEL 9 Beta did not contain the responsible change.
> Final RHEL 9.0 hasn't been released yet. I am trying to receive
> feedback how critical this change can be. What types of deployments can
> it affect or even break?

If a customer for one reason or another is using their own build of a
validating resolver that lacks work-arounds for the crippled crypto
libraries, then they're liable to fail to resolve O(1M) affected DNS
zones.

If such a zone houses a sufficiently widely used MX host, then all
domains served by the MX host will at least lose DNSSEC protection,
and perhaps suffer email delivery outages.

> I think SMTP services using DANE might be hit by this change.

I see 6741 domains that would no longer be DANE protected if downgraded
to "insecure" because these domains are directly signed with algorithm
5 or 7.  I also see 1185 additional zones that would no longer be DANE
protected, because their TLD might become "insecure".

More significantly, I see 241,919 MX records of DANE-enabled domains
would become "insecure".  This is a rather non-trivial footprint. Or
O(100k) affected domains given multiple MX records per domain.

> I don't have any numbers how many our customers need SHA-1 domains
> secure. I would like to receive any opinions here. Ideally backed by
> some numbers.

See above.

> This decision was not made by me and I had no vote on it before it
> was done. I try to reduce the negative impact of it. But the probability of
> reverting that change just because DNSSEC validators are not prepared for
> it is low. Unless it has a dramatic negative impact, which I haven't
> found so far.

~250k MX hosts previously protected by DANE would be downgraded to
unauthenticated opportunistic TLS when the sending MTA is behind an
affected resolver running with the new DEFAULT policy.

The top five counts of (domain, MX host) pairs are:

     154340 transip.email
      61085 transip.nl
      12276 mailbox.org
       4690 ns0.email
       2660 secure-gw.de
        ...

For TransIP alone this accounts for 159,352 customer domains.

-- 
    Viktor.
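The three counts above (domains directly signed with algorithm 5 or 7, domains under a TLD that would become insecure, and domains whose MX host sits in such a zone) all follow from one rule: a validator that supports none of a zone's DNSSEC algorithms treats that zone, and everything below it, as insecure (RFC 6840 section 5.2), and DANE for a mail domain needs both the domain's own zone and the MX host's zone to validate. The script below is an added illustration of that audit, not Viktor's measurement code. It runs on constructed DNSKEY and MX data (the key material is fake), uses the algorithms in each zone's DNSKEY RRset as a stand-in for the DS algorithms at the parent, and models the "downgrade to insecure" behaviour rather than the SERVFAIL a resolver without work-arounds would produce.

```python
"""Which (domain, MX host) pairs lose DANE if a resolver's crypto policy
drops RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7)?  Constructed sample data."""
from collections import Counter

# IANA DNSSEC algorithm numbers used in this example
RSASHA1 = 5                 # SHA-1 based
RSASHA1_NSEC3_SHA1 = 7      # SHA-1 based
RSASHA256 = 8
ECDSAP256SHA256 = 13
SHA1_ALGS = {RSASHA1, RSASHA1_NSEC3_SHA1}

# Constructed DNSKEY RRsets in presentation format; the key data is not real.
SAMPLE_DNSKEYS = """\
. 172800 IN DNSKEY 257 3 8 AwEAAfakeRootKey
net. 86400 IN DNSKEY 257 3 8 AwEAAfakeKey
org. 86400 IN DNSKEY 257 3 7 AwEAAfakeKey
example.net. 3600 IN DNSKEY 257 3 8 AwEAAfakeKey
sha1-signer.net. 3600 IN DNSKEY 257 3 5 AwEAAfakeKey
mx-provider.net. 3600 IN DNSKEY 257 3 7 AwEAAfakeKey
mx-provider.net. 3600 IN DNSKEY 257 3 13 AwEAAfakeKey
customer1.net. 3600 IN DNSKEY 257 3 8 AwEAAfakeKey
customer2.net. 3600 IN DNSKEY 257 3 8 AwEAAfakeKey
charity.org. 3600 IN DNSKEY 257 3 8 AwEAAfakeKey
"""

# Constructed (domain, MX host) pairs, the same unit Viktor counts above.
SAMPLE_MX = [
    ("example.net.", "mx.example.net."),
    ("sha1-signer.net.", "mx.sha1-signer.net."),   # domain itself signed with alg 5
    ("customer1.net.", "mx.sha1-signer.net."),     # domain fine, MX host zone is not
    ("customer2.net.", "mx.sha1-signer.net."),
    ("customer2.net.", "mx.mx-provider.net."),     # provider dual-signed 7 + 13
    ("charity.org.", "mx.charity.org."),           # domain fine, TLD signed with alg 7
]


def parse_dnskeys(text):
    """Map each zone (with trailing dot) to the set of algorithms in its DNSKEY RRset."""
    algs = {}
    for line in text.splitlines():
        f = line.split()
        if not f or "DNSKEY" not in f:
            continue
        i = f.index("DNSKEY")                    # owner [ttl] [class] DNSKEY flags proto alg key
        owner = f[0] if f[0].endswith(".") else f[0] + "."
        algs.setdefault(owner, set()).add(int(f[i + 3]))
    return algs


def enclosing_zone(name, algs):
    """Closest enclosing zone of a name among the zones we hold keys for."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    while labels:
        cand = ".".join(labels) + "."
        if cand in algs:
            return cand
        labels.pop(0)
    return "."


def chain(zone, algs):
    """Zones from the root down to `zone`, e.g. ['.', 'net.', 'example.net.']."""
    out = [zone]
    while zone != ".":
        zone = enclosing_zone(zone.split(".", 1)[1] or ".", algs)
        out.append(zone)
    return out[::-1]


def first_unsupported(zone, algs, supported):
    """Topmost zone in the chain whose keys use only unsupported algorithms, or None.
    Assumption: DNSKEY algorithms stand in for the parent's DS algorithms, and the
    validator follows RFC 6840 5.2 (unsupported algorithms => insecure, not bogus)."""
    for z in chain(zone, algs):
        if not algs[z] & supported:
            return z
    return None


def audit(mx_pairs, algs, supported):
    """For each (domain, MX host) pair: the zone that breaks the chain, or None if DANE holds.
    Both the domain's zone (for the MX RRset) and the MX host's zone (for TLSA) must validate."""
    result = {}
    for domain, mx in mx_pairs:
        broken = None
        for name in (domain, mx):
            broken = first_unsupported(enclosing_zone(name, algs), algs, supported)
            if broken:
                break
        result[(domain, mx)] = broken
    return result


def lost_by_mx_host(result):
    """Count pairs that lose DANE, per MX host (the 'top counts' view)."""
    return Counter(mx for (_, mx), broken in result.items() if broken)


if __name__ == "__main__":
    algs = parse_dnskeys(SAMPLE_DNSKEYS)
    no_sha1 = {RSASHA256, ECDSAP256SHA256}       # policy with SHA-1 signatures disabled
    res = audit(SAMPLE_MX, algs, no_sha1)
    for (d, mx), z in res.items():
        print(f"{d:18} {mx:22} {'DANE ok' if z is None else 'insecure via ' + z}")
    for mx, n in lost_by_mx_host(res).most_common():
        print(f"{n:8} {mx}")
```

Running it with the SHA-1 algorithms back in the supported set (`no_sha1 | SHA1_ALGS`) reports every pair as secure, which is the comparison a site would make before and after changing its crypto policy; on real data the MX host column comes from the domain's MX RRset and the DNSKEY sets from the zones actually encountered.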
